Method and arrangement for enabling the use of a consumable unit

ABSTRACT

In a method for enabling the use of a consumable unit in a consumption device of a consumption arrangement, a first item of authorization information assigned to the consumable unit is transmitted from the consumption arrangement to a remote data center. The data center implements a first verification of the first item of authorization information and, as a function of this verification, a second item of authorization information assigned to the consumable unit is generated. The second item of authorization information is transmitted to the consumption arrangement, which implements a second verification of the second item of authorization information, dependent on which use of the consumable unit in the consumption device is enabled. The outcome of either the first or second verification is also used for an accounting for use of the consumable unit when the first verification indicates that the consumable unit was previously unused.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a method for enabling the use of a consumable unit containing a consumable medium in a consumption device of a consumption arrangement, in particular a franking machine, in which in a first transmission step a first item of authorization information assigned to the consumable unit is transmitted by a data processing unit of the consumption arrangement via a communications network to a remote data center and in a first verification step in the data center a verification of the first item of authorization information takes place. In an authorization step in the data center as a function of the outcome of the first verification step a second item of authorization information assigned to the consumable unit is generated, which, in a second transmission step, is transmitted via a communications network to the data processing unit. In a second verification step, a verification takes place in the data processing unit of the second item of authorization information, wherein then in an enabling step in the data processing unit as a function of the outcome of the second verification step enabling the use of the consumable unit in the consumption device takes place. Further, in an accounting step as a function of the outcome of the first verification step and/or the second verification step accounting takes place for enabling the use of the consumable unit in the consumption device. The invention also relates to a corresponding arrangement for performing the method according to the invention and a data processing device that constitutes a component of this arrangement.

2. Description of the Prior Art

In a large number of applications, in which a physical representation of certain data (for example the printing out of data or similar) is generated, consumable materials are used for the generation of this physical representation, having certain properties, in order to guarantee a specified quality of the representation and/or optionally in conjunction with other features of the representation to prove the authenticity of the data reproduced or the authorization to generate the reproduction. Thus for example in modern franking machines as a rule special inks or toners specified by the postal service concerned are used in order to generate a valid franking imprint. The inks or toners used can also have certain security features that are invisible to the naked eye (such as for example fluorescent particles or similar).

In order to ensure that in connection with such a reproduction exclusively authorized consumable materials are used, a number of methods are known which should guarantee that only authorized consumable units (for example ink cartridges, ribbon cartridges, toner cartridges, etc.) are enabled for use in the consumption devices concerned.

Inter alia, in a number of methods applied locally in the franking machine, as known for example from EP 1 237 725 B1, authorization information stored in a memory of the consumable unit is verified in the franking machine, for example a digital signature of the manufacturer of the consumable unit is verified via specific information assigned to the consumable unit. Only if this verification is successful is the use of the consumable unit enabled. Otherwise printing is disabled. Similar methods are known from EP 1 132 868 A1 and EP 0 875 862 A2.

In other methods such as for example those known from EP 1 103 924 B1, a data center compares a code word sent by a franking machine via a communications network with a list of valid code words available in the data center. If this verification is unsuccessful, counter measures including disablement of the franking machine for use of the consumable unit can be initiated. A similar method is also known from DE 100 23 145 A1. In a further similar method, which is known from EP 1 103 925 B1, the franking machine holds a list of valid code words for the comparison.

Finally, from EP 1 103 925 A1 a generic method is known in which following use of an authorized consumable unit for a specific number of imprints further use of the franking machine is inhibited, even if sufficient ink is left for continued usage. Further use of the remaining ink is made possible, however, if in an enabling process in the interaction between the franking machine and a data center, against a corresponding payment by the user in an accounting process, a corresponding enablement takes place.

Common to all these methods is that correspondingly high effort is necessary in order to ensure that in the consumption device only authorized consumable units are used. This results in comparatively high costs for the individual consumable unit. Here in addition to some extent there is only limited protection, if any, against the use of pirate products or of previously authorized consumable units that have been refilled by third parties. Such unauthorized consumable units are typically sold at considerably lower prices than authorized consumable units, so that in this regard the economic pressure to achieve greater security increases further and the costs are forced up.

Thus in the memory known from EP 1 103 925 A1 of the consumable unit in fact the consumption or the residual quantity left is detected and the use of the consumable unit is inhibited as soon as a certain residual quantity is reached. In many cases, however, it is possible to manipulate the memory of the consumable unit. As a counter measure to this, memories with write once memory areas can be used although these drive up the costs. In addition third parties may try to exchange the “used” memory for a possibly even structurally identical “unused memory”. Here again various counter measures can be taken, although these again push up the costs.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a method and an arrangement as well as a data processing device for such an arrangement of the kind mentioned at the beginning, which does not, or at least only to a lower extent, have the abovementioned disadvantages and in a particularly cost-effective manner provides a high level of protection against the use of unauthorized consumable units.

The present invention achieves this object with a method according to claim 1. It also achieves this object with an arrangement according to claim 14.

The present invention is based on the technical teaching that a simple and cost-effective way of providing a high level of protection against the use of unauthorized consumable units is possible if the accounting takes place if during the verification of the first item of authorization information assigned to the consumable unit it is ascertained in the data center that the consumable unit has previously been unused. In this way it is possible for the user of the consumable unit, for example, only at the time of the first verification of the consumable unit, via the accounting process to pay a corresponding usage fee, so that the selling price of the consumable unit initially and without any economic disadvantage for the provider of authorized consumable units can be kept low. Subsequent payment with the initial verification or use of the consumable unit considerably reduces the economic incentive to bring into circulation unauthorized consumable units, since the cost advantage of unauthorized consumable units over authorized consumable units can at least in large measure be eliminated and in addition by means of the verification at the data center in a simple manner unauthorized consumable units can be detected and rejected.

It is in particular sufficient in the data center to simply maintain a list with the data that are used in the first verification step for authorized consumable units. Here, with this data that is available in the data center, in the first verification step simple plausibility checks can be carried out which allow manipulations or other discrepancies in the data assigned to the consumable unit to be discovered and thus unauthorized consumable units or those subsequently manipulated in an unauthorized manner to be detected and then optionally not enabled for use.

For example, an unauthorized refilling of a consumable unit with the consumable medium can be detected in a simple manner in that the usage level of the consumable unit (the detection of which can in any event be used for the detection of the unused level of the consumable unit in connection with the accounting) is logged in a corresponding data record in the data center for the respective consumable unit after the registration (carried out in course of or following the initial verification) of the consumable unit in the data center. If a further verification takes place at a later point in time and an implausible fill level of the consumable medium in the consumable unit (for example a higher fill level than for the last verification) results, then this leads to the conclusion of an unauthorized manipulation with enabling the use of the consumable unit being rejected.

This registration of the consumable unit and the subsequent logging of certain data assigned to the consumable unit, which for its part is called upon as comparative data during subsequent repeat verifications of the data originating from the consumable unit, also has the advantage that both the data stored, for example, in a memory of the consumable unit and the memory itself can be of a relatively simple design. A manipulation or exchange of the memory of the consumable unit and of the data in this memory are, thanks to the manipulation-proof storage of the comparative data in the data center, reliably detected. The same applies if the data of an authorized consumable unit, for example its valid identification, are copied, since by means of the logging in the data center parallel use of a valid identification for several consumable units can be detected and thus avoided.

According to one aspect the present invention therefore relates to a method for enabling the use of a consumable unit containing a consumable medium in a consumption device of a consumption arrangement, in particular a franking machine, in which in a first transmission step a first item of authorization information assigned to the consumable unit is transmitted by a data processing unit of the consumption arrangement via a communications network to a remote data center and, in a first verification step in the data center, a verification of the first item of authorization information takes place. In an authorization step, in the data center as a function of the outcome of the first verification step, a second item of authorization information assigned to the consumable unit is generated, which is then transmitted in a second transmission step via a communications network to the data processing unit. In a second verification step in the data processing unit a verification of the second item of authorization information takes place and, in a subsequent enabling step as a function of the outcome of the second verification step, enabling the use of the consumable unit in the consumption device. Here, in an accounting step as a function of the outcome of the first verification step and/or the second verification step, accounting takes place for enabling the use of the consumable unit in the consumption device, wherein the accounting step takes place provided that, in a detection step of the first verification step, it is established that the consumable unit was previously unused.

Detection of the fact that the consumable unit is unused can take place in any suitable manner. Preferably the first item of authorization information comprises an, in particular unique and unambiguous, first item of identification information of the consumable unit (for example a unique and unambiguous serial number of the consumable unit), wherein the ascertainment that the consumable unit is unused takes place in the ascertainment step using the first item of identification information. In the simplest case it is detected that the first item of identification information for the first time has been transmitted from a remote data processing unit to the data center and used in a first verification step. For this ascertainment however, as will be illustrated in the following, additionally or alternatively further criteria can be applied.

In preferred variants of the invention the first item of identification information is compared with a first comparative item of identification information stored in the data center, wherein the ascertainment of an unused consumable unit in the ascertainment step only takes place, if for the first time a definable relationship between the item of identification information and the first comparative item of identification information exists. Thus, for example, in the simplest case as the first comparative item of identification information an item of information that is identical to the first item of identification information can be stored in the data center, so that only upon the first ascertainment of the identity of both these items of information is an unused consumable unit assumed.

It is particularly advantageous if the first item of authorization information comprises a first item of fill level information, which is representative of the quantity of the consumable medium available in the consumable unit, and the ascertainment that the consumable unit is unused takes place using the first item of fill level information. For this purpose, in the data center, a comparative item of fill level information can be stored, which is compared with the transmitted first item of fill level information. If there is a definable relationship between the first item of fill level information and the comparative item of fill level information, then the consumable unit is classified as unused and the accounting performed accordingly. Here, for the deviation between the two compared items of fill level information certain tolerances can be envisaged, in order to take into account a plausible shrinkage of the consumable medium (for example through natural evaporation or similar) or tolerance values in the factory filling of the consumable units.

In doing so, of course a distinction can be made between the directions of the deviation. So for a downward deviation, thus in the event that a lower quantity is available than expected for an unused consumable unit, a greater deviation will be allowed than for an upward deviation, thus in a case in which a larger quantity is available than expected. Optionally, of course, it can also be provided that such an upward deviation always leads to a denial of use and thus with it a rejection of the consumable unit.

In further preferred variants of the method according to the invention the first item of identification information comprises an item of control information, which is generated, in particular, using a cryptographic means. The verification of the first item of authorization information in the first verification step then comprises a verification of whether a definable relationship between the item of control information and a further part of the first item of identification information exists, wherein enabling the use of the consumable unit only takes place if the definable relationship between the item of control information and the further part of the first item of identification information exists.

This item of control information avoids in a simple manner a third party being able to independently generate a valid first item of identification information. This increases the protection from manipulation further, since in this case at worst a valid item of identification information is copied from an authorized consumable unit and can be transferred to other consumable units, wherein out of all these consumable units with the same item of identification information (thus the originally authorized consumable unit and the copies made on the basis of this) only one can be used.

The item of control information can be any suitable item of information that has been generated using a secret (thus an item of information and/or algorithm known only to the producer of the consumable unit). Thus, the item of control information can be generated by means of any suitable cryptographic operations, in which such a secret is used as a cryptographic code. A digital signature of at least part of the item of identification information may in particular be involved.

Similarly, in addition or alternatively, however, a cryptographic algorithm, for example a so-called hash algorithm (such as for example SHA-1, SHA256, MD4 etc.), may simply be applied to at least part of the item of identification information. Here the secret can consist of the fact that the cryptographic algorithm used, and/or the part of the item of identification information, to which such a cryptographic algorithm is applied, is unknown to third parties. This in itself can also ensure a sufficient degree of security, since the reconstruction of the original data even with a large quantity of items of identification information produced according to this pattern would require a great deal of computational effort.

In further preferred variants of the method according to the invention, in the authorization step, in the data center in a registration step a registration takes place of the first verification step in a verification history stored in the data center and assigned to the consumable unit, in particular, of the associated first item of identification information. This verification history allows in a particularly simple manner the plausibility checks already mentioned, which can be carried out in order to detect manipulations of the data of an authorized consumable unit and/or unauthorized consumable units.

The verification history assigned to the respective consumable unit or its item of identification information can basically comprise any information which can be used for such plausibility checks. Here, it shall be understood that this information can be detected in the data center or transmitted to the data center in any suitable manner. Corresponding information detected in the data processing unit or transmitted by this can in particular be incorporated in the first item of authorization information.

Thus, for example, it can be provided that the verification history comprises the number of first verification steps performed assigned to the consumable unit or the associated first item of identification information. In this way, therefore, a count can be kept of how often in the past for the consumable unit concerned the first verification step has already been carried out. In this case, initially in a particularly simple manner, the ascertainment of an unused consumable unit or the detection of the first performance of the first verification can take place, since all that has to be ascertained is that the counter of the verification history assigned to the consumable unit is at a value of zero.

Likewise, with this number of first verification steps further security-related verifications can be performed. Thus, for example from a large number of first verification steps within a specified time span possible manipulations or attempted manipulations can be inferred and responded to accordingly. Here, the response may range from a mere warning to the user of the consumption device to disablement of the consumption device.

In further variants of the invention the verification history comprises at least for the point in time of the current first verification step representative verification time information. Through this detection and logging of the point in time of the current first verification step similarly the temporal course of the use of the consumable unit can be inferred and, thus, possible manipulations or attempted manipulations and a corresponding response can be made as described above.

In particular, for the respective consumable unit an item of initial verification time information representative of the point in time of the first execution of the first verification step can be stored in the verification history. With this item of initial verification time information it can, for example, be verified if a particular maximum usage time of the consumable unit has already been exceeded and then, again, a corresponding response can be made (issue of a warning message, disablement of use, etc.).

In preferred variants of the invention it is therefore provided that in the first verification step a comparison of the current time information with the item of initial verification time information from the verification history assigned to the consumable unit is performed and enabling the use in the enabling step only takes place if a definable relationship between the current time information and the item of initial verification time information exists, in particular, a time difference resulting from the current time information and the item of initial verification time information is less than a definable maximum usage time of the consumable unit.

In addition, the verification history assigned to the respective consumable unit can comprise a second item of identification information assigned to the data processing unit. In this way, therefore, the registration of the consumable unit can be linked to the consumption device, with which it is used. The second item of identification information can, for example, be sent as a component of the first item of authorization information in the first transmission step.

In this way it is, for example, possible to allow the use of the consumable unit only in combination with the consumption device with which its first registration took place. It is likewise possible to define, in the data center, a group of consumption devices or data processing units, for which the use of a consumable unit is authorized, provided that the first registration (thus the first execution of the first verification step) took place in connection with one of the data processing units from this group. Thus, for example, the owner of a group of franking machines can be allowed to use an authorized consumable unit in various franking machines of this group.

In preferred variants of the invention it is therefore provided that the first item of authorization information comprises a second item of identification information assigned to the data processing unit, in the first verification step a comparison of the second item of identification information and at least a previous second item of identification information from the verification history assigned to the consumable unit is performed, which originates from a previous authorization step, in particular, the last authorization step previously carried out, and enabling the use in the enabling step only takes place if a definable relationship between the second item of identification information and the previous second item of identification information exists, in particular the second item of identification information is identical to the previous second item of identification information.

In further preferred variants of the method according to the invention the verification history assigned to the respective consumable unit comprises at least a first item of fill level information representative of the current quantity of the consumable medium available. With this item of fill level information it is possible in a particularly simple manner to detect manipulations of the consumable unit, in particular, unauthorized refilling of the consumable unit. Thus, for example, an increase in the available quantity of the consumable medium is a clear indication of refilling of the consumable unit.

Similarly, a fill level that is constant or only falls slightly is indicative of such manipulation. In order to be able to recognise such situations easily, in advantageous variants of the invention, it can be provided that the data processing unit, for example embedded in the first item of authorization information, provides information on the number of uses of the consumable unit since the last enabling step. This allows a simple plausibility check on the current fill level of the consumable unit transmitted.

In preferred variants of the invention it is therefore provided that the first item of authorization information comprises a first item of fill level information, which is representative of the quantity of the consumable medium available in the consumable unit. In the first verification step a comparison is made between the first item of fill level information and an item of fill level limit information assigned to the consumable unit and/or at least a previous first item of fill level information from the verification history assigned to the consumable unit, which originates from a previous authorization step, in particular the last authorization step previously carried out. Enabling the use in the enabling step then only takes place if a definable relationship between the first item of fill level information and the previous first item of fill level information exists, in particular, the available quantity of the consumable medium is smaller than the previously available quantity of the consumable medium from the previous authorization step.

Additionally or alternatively, in a definitive disabling step, a permanent disabling of use of the consumable unit can take place if a definable relationship between the first item of fill level information and the previous first item of fill level information exists, in particular the available quantity of the consumable medium is greater than the previously available quantity of the consumable medium from the previous authorization step, since this can be considered as a clear indication of unauthorized refilling of the consumable unit.

Additionally or alternatively, in a definitive disabling step a permanent disablement of the use of the consumable unit can take place, if a definable relationship between the first item of fill level information and the item of fill level limit information exists, in particular the available quantity of the consumable medium has reached or fallen below a limiting quantity of the consumable medium defined by the item of fill level limit information. In this way therefore a “consumable unit empty” state can be detected and use permanently disabled, in order to prevent unauthorized refilling and reuse of the consumable unit.

This can be carried out in a particularly effective manner in that, in the definitive disabling step, the consumable unit, in particular the first item of identification information, in the data center is assigned an item of disabling information, in the first verification step a verification is performed, whether the consumable unit has been assigned an item of disabling information, and enabling the use only takes place in the enabling step, if the consumable unit does not have an item of disabling information assigned to it. In this way, therefore, the consumable unit is registered in the data center as disabled or the consumable unit is deregistered in the data center, in order to prevent unauthorized refilling and reuse of the consumable unit. Alternatively the first item of identification information (e.g. a serial number) can simply be deleted from the list available in the data center of valid first items of identification information (e.g. a list of valid serial numbers).
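The first verification step with its verification history, as described in the preceding paragraphs, can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 control information, the class and function names, and all constants (nominal fill, tolerances, limits, serial and device identifiers) are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# All constants below are constructed for illustration; the page fixes no values.
MANUFACTURER_SECRET = b"constructed-demo-secret"
NOMINAL_FILL = 1000      # expected fill of an unused unit (arbitrary units)
TOLERANCE_DOWN = 50      # plausible shrinkage / factory filling tolerance
TOLERANCE_UP = 5         # an upward deviation is tolerated far less
EMPTY_LIMIT = 20         # fill level limit: at or below this the unit is "empty"
MAX_USAGE_SECONDS = 365 * 24 * 3600


def control_info(serial: str) -> str:
    """Control information: keyed hash over the serial (HMAC is an assumption)."""
    return hmac.new(MANUFACTURER_SECRET, serial.encode(), hashlib.sha256).hexdigest()


@dataclass
class History:
    """Verification history the data center keeps per serial number."""
    count: int = 0                       # first verification steps performed so far
    first_time: Optional[float] = None   # initial verification time information
    device_id: Optional[str] = None      # device the unit was registered with
    last_fill: Optional[int] = None      # fill level from the previous step
    disabled: bool = False               # disabling information


class DataCenter:
    def __init__(self, valid_serials):
        self.histories = {s: History() for s in valid_serials}
        self.accounted = []              # serials for which a usage fee was booked

    def first_verification(self, serial, control, device_id, fill, uses_since_last, now):
        """Return (enabled, reason) for one verification request."""
        h = self.histories.get(serial)
        if h is None:
            return False, "unknown serial"
        if not hmac.compare_digest(control, control_info(serial)):
            return False, "control information mismatch"
        if h.disabled:
            return False, "permanently disabled"

        if h.count == 0:
            # Unused unit: the fill level must match the factory value within
            # direction-dependent tolerances before anything is registered.
            if not NOMINAL_FILL - TOLERANCE_DOWN <= fill <= NOMINAL_FILL + TOLERANCE_UP:
                return False, "implausible initial fill level"
            h.first_time, h.device_id = now, device_id
            self.accounted.append(serial)        # accounting only on first use
            reason = "enabled and accounted"
        else:
            if device_id != h.device_id:
                return False, "registered to another device"
            if now - h.first_time >= MAX_USAGE_SECONDS:
                return False, "maximum usage time exceeded"
            if fill > h.last_fill:
                h.disabled = True                # refill: definitive disabling
                return False, "fill level increased"
            if uses_since_last > 0 and fill == h.last_fill:
                return False, "fill level unchanged despite use"
            reason = "enabled"

        h.count += 1
        h.last_fill = fill
        if fill <= EMPTY_LIMIT:
            h.disabled = True                    # "consumable unit empty"
            return False, "empty"
        return True, reason
```

Because the comparative data lives only in the data center, a copied serial presented from a second device, or a refilled cartridge reporting a higher fill level, is rejected without any tamper-resistant memory on the consumable unit itself.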

In preferred further variants of the invention it is provided that the first transmission step takes place as a function of the occurrence of at least one definable first event. Here, it can for example be a case of any temporal event such as the reaching of a certain date, the expiry of a certain length of time or similar.

Additionally or alternatively, the at least one definable first event can preferably be a non-temporal event. Here also any non-temporal event can be applied. Thus for example the first event may be the creation of a connection between data processing unit and the consumable unit. In this way for example it can be ensured in a simple manner that for each use of a consumable unit in the consumption device a verification takes place of whether this is authorized and has not been manipulated.

Additionally or alternatively, the definable first event can be the release of a connection between the data processing unit and the consumable unit. In this way, for example, it can be ensured in a simple manner that each time a consumable unit is removed from the consumption device it is not only a verification that this is authorized and has not been manipulated that takes place. On the contrary, in this way, for example, it can also be ensured that the verification history described above is updated (e.g. a stored item of fill level information etc. is updated). An unauthorized refilling can in this way be effectively avoided.

Additionally or alternatively, the definable first event can be the reaching of a definable first number of uses of the consumable unit and/or the reaching of a definable first consumption of the consumable medium and/or the reaching of a definable first quantity of the consumable medium still available in the consumable unit. All these variants can serve to keep the verification history up to date and thus effectively make more difficult or prevent an unauthorized refilling or other manipulation.

In preferred further variants of the invention it is provided that, in a temporary disabling step, a reversible disabling of use of the consumable unit takes place as a function of the occurrence of at least one definable second event. Here also it can be a case, for example, of any temporal event, such as the reaching of a certain date, the expiry of a certain length of time or similar. Thus, for example, upon expiry of a certain length of time following initiation of a first transmission step the reversible disabling can take place.

Additionally or alternatively, the at least one definable second event can preferably be a non-temporal event. Here again any non-temporal events can be used. Thus the at least one definable second event can be the release of a connection between the data processing unit and the consumable unit and/or the reaching of a definable second number of uses of the consumable unit and/or the reaching of a definable second consumption of the consumable medium and/or the reaching of a definable second quantity of the consumable medium still available in the consumable unit.

Additionally or alternatively, the temporary disabling step can take place only if, following the last occurrence of the first event and prior to the occurrence of the second event, no enabling step takes place. In other words, if an enabling step takes place on time then the disablement does not occur.

The data transmission between the data processing unit and the data center can basically take place in any suitable manner, wherein any communications networks can be used which at least in part work wirelessly and/or at least in part in a wire-bound manner. The communication can take place unencrypted. Preferably, however, communications secured against undetected unauthorized manipulation by cryptographic means are provided.

The first item of authorization information, preferably at least prior to the first transmission step and/or during the first transmission step, is secured by cryptographic means against undetected unauthorized manipulation. Additionally or alternatively, the second item of authorization information at least prior to the second transmission step and/or during the second transmission step is secured by cryptographic means against undetected unauthorized manipulation.

In further preferred variants of the invention it is provided that the second item of authorization information at least comprises a cryptographic certificate generated by the data center in the authorization step, which in a verification step of the enabling step is verified by the data processing unit, and enabling the use takes place as a function of the outcome of the verification step.

This cryptographic certificate is especially in the further procedure also used in connection with a subsequent first verification step, in order to check the authorization of the consumable unit. To this end, the cryptographic certificate assigned to the respective consumable unit with its registration is preferably logged in the data center, in that it is for example included in the verification history assigned to the consumable unit. In further advantageous variants of the invention the verification history therefore comprises at least a part of the second item of authorization information, in particular the entire second item of authorization information, wherein of course the cryptographic certificate can then be included as a corresponding part of the second item of authorization information in the verification history assigned to the consumable unit.

In order to use the cryptographic certificate in connection with a subsequent first verification step, in order to check the authorization of the consumable unit, the first item of authorization information for its part can then comprise a cryptographic certificate generated in a preceding authorization step, in particular directly preceding the first transmission step, wherein the previous cryptographic certificate can be verified in the first verification step, for example compared with the certificate stored in the verification history. Optionally, however, additionally or alternatively, just a simple verification of the certificate can take place.

In further preferred variants of the invention it is provided that in the data processing unit after the enabling step a detection of the consumption of the consumable medium takes place, in order then in a simple manner to allow the forwarding described above of a fill level or similar to the data center and the plausibility checks described.

For this, preferably using a use detected by the data processing unit of the consumable unit and/or a previous item of fill level information, a theoretical item of fill level information is identified, which is representative of the theoretical quantity of the consumable medium available in the consumable unit. Additionally or alternatively, for this purpose by means of a detection unit an actual item of fill level information is identified, which is representative of the actual quantity of consumable medium available in the consumable unit.

Here, the theoretical item of fill level information can be compared with the actual item of fill level information in the data processing unit in a fill level checking step and the theoretical item of fill level information can be set to the value of the actual item of fill level information, if the actual available quantity is less by a definable first tolerance value than the theoretical available quantity. In other words, so that in this regard the “theoretical” value is reset to the “actual” value.

In a disabling step, however, disabling of use of the consumable unit by the data processing unit can take place, if the actual available quantity exceeds the theoretical available quantity by a definable second tolerance value, since this can be considered as an indication of an unauthorized refilling of the consumable unit.

The accounting described above for the first verification and, optionally, registration of the consumable unit can take place in any suitable way. Preferably, in the accounting step for performing the accounting the content of at least one accounting memory is modified. This at least one accounting memory can be arranged in the data processing unit. Thus, for example, a correspondingly secured accounting memory that is available anyway in a franking machine can be used for this accounting step, in that its register statuses are modified accordingly. Additionally or alternatively, the at least one accounting memory can be arranged in the data center, so that the accounting therefore takes place there.

In preferred further variants of the invention it is provided that, in a production step prior to the first verification step, a plurality of first consumable units and second consumable units is produced, wherein, in particular in a memory of a first consumable unit, a first item of identification information of the first consumable unit is assigned a first identifier and, in particular in a memory of a second consumable unit, a first item of identification information of the second consumable unit is assigned a second identifier, and at least a verification of a definable relationship between first items of information and second items of information takes place in the first verification step and/or in the authorization step and/or in the second verification step and/or in the enabling step and/or in a fill level verification step as a function of the identifier assigned to the consumable unit. Additionally or alternatively, at least a monitoring of the occurrence of a definable event as a function of the identifier assigned to the consumable unit takes place. In this way in a simple manner it is possible to produce or define consumable units, which are handled differently in use, for example having different privileges, which manifest themselves in tolerance ranges of different extents during the individual verifications or similar.

The present invention further relates to an arrangement for performing the method according to the invention described above with a consumable unit containing a consumable medium, a consumption arrangement, in particular a franking machine, which comprises a consumption device designed for use of the consumable unit and an associated data processing unit for control of use of the consumable unit, as well as a data center remote from the consumption arrangement, which via a communications network can be connected to the data processing unit. The data processing unit is designed so that in a first transmission step it transmits a first item of authorization information assigned to the consumable unit via the communications network to the remote data center, while the data center is designed so that, in a first verification step, it performs a verification of the first item of authorization information. The data center is further designed to generate, in an authorization step as a function of the outcome of the first verification step, a second item of authorization information assigned to the consumable unit. In addition, the data center is designed so that in a second transmission step it transmits the second item of authorization information via a communications network to the data processing unit. The data processing unit is in turn designed so that, in a second verification step, it carries out a verification of the second item of authorization information and, in an enabling step as a function of the outcome of the second verification step, carries out enabling the use of the consumable unit in the consumption device. In addition, the data processing unit and/or the data center is designed so that, in an accounting step as a function of the outcome of the first verification step and/or the second verification step, it performs an accounting for the enabling for use of the consumable unit in the consumption device, wherein the data processing unit and/or the data center is designed to perform the accounting step, provided that in an ascertainment step of the first verification step it is ascertained that the consumable unit was previously unused. In this way the variants and advantages described above can be achieved to the same degree, so that in this respect reference is made to the above statements.

Finally, the present invention relates to a data processing device, which is designed as the data processing unit of the arrangement according to the invention with the features described above, wherein it is in particular designed to perform the accounting step. Finally, the present invention relates to a data processing device which is designed as the data center of the arrangement according to the invention with the features described, wherein it is in particular designed to perform the accounting step. In this way also the variants and advantages described above can be achieved to the same degree, so that in this respect reference is made to the above statements.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of a preferred configuration of the arrangement according to the invention, with which a preferred variant of the method according to the invention for enabling the use of a consumable unit can be performed.

FIG. 2A is the first part of a flow chart of a preferred variant of the method according to the invention, which can be carried out with the arrangement from FIG. 1.

FIG. 2B is the second part of the flow chart of the method from FIG. 2A.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In the following by reference to FIGS. 1, 2A and 2B (which in the following are also referred to jointly as FIG. 2) a preferred configuration of the arrangement 101 according to the invention is described, with which a preferred variant of the method according to the invention for enabling the use of a consumable unit is carried out.

As can be inferred from FIG. 1, the arrangement 101 comprises a series of k consumption arrangements in the form of franking machines (FM), to which inter alia a first franking machine 102, a second franking machine 103 and a k^(th) franking machine 104 belong. The franking machines 102 to 104 can in each case be connected via a communications link, for example a data network 105 (e.g. the Internet), with a remote data center 106.

The franking machine 102 comprises inter alia a data processing unit in the form of a first processor 102.1, a first security module 102.2, a first memory 102.3, an input/output unit 102.4, a communications module 102.5 and a consumption device in the form of a print module 102.6, which in each case are connected with the first processor 102.1.

The print module 102.6 serves in the normal way, controlled by the processor 102.1, to generate a franking imprint for an item of mail. For this purpose in addition to a print head controller (not shown in more detail) connected with the processor 102.1 it has a print head operated by the print head controller. In this case the print head is a component of a consumable unit (VE) used in the print module 102.6 in the form of an ink cartridge 107.

The ink cartridge 107 contains in a reservoir as the consumable material an ink specified by the postal service for generating franking imprints. The ink can be characterised by a special colour (e.g. the postal blue of Deutsche Post AG) but also by other so-called security features (such as for example fluorescent particles or similar).

It shall be understood that with other variants of the invention it can also be provided that the print head is designed as a fixed component of the print module and only the consumable material (thus for example the ink, toner, ribbon, etc.) is held in the consumable unit (VE).

The ink cartridge 107 also comprises a second memory 107.1, which in the full state of the ink cartridge 107 used in the print module 102.6 via a contacting unit is connected with the first processor 102.1. Here the second memory 107.1 and/or the contacting unit can be applied to the ink cartridge 107 in such a way that the print head of the ink cartridge 107 can no longer be correctly operated, if the second memory 107.1 has been physically manipulated, thus for example removed and re-inserted or replaced by another memory. Such a security mechanism can be omitted in other variants of the invention, however.

The first security module 102.2 is used in the normal way to provide the security-related postal services necessary for franking, such as for example the secure accounting of the franking sums but also the cryptographic securing of certain postal data. The first security module 102.2 also allows cryptographic operations to be performed for the purposes of securing further data, securing of communications via the data network 105 and decryption and verification of cryptographic secured data received.

In order to perform cryptographic operations, in particular the secure accounting for the franking sums the first security module 102.2 comprises in a sufficiently known manner a processor, an encryption module for performing cryptographic operations (using cryptographic algorithms and parameters) and corresponding (optionally redundant) registers for storing the accounting data, which are arranged in an area secured physically and logically against unauthorized access.

The data center 106 comprises a second data processing unit 106.1, a second security module 106.2, a communications module 106.3, a first database 106.4, a second database 106.5 and a third database 106.6, which in each case are connected to the second processing unit 106.1. Here, the second security module 106.2 provides in a sufficiently known manner security-related services such as for example cryptographic protection, decryption and verification of certain postal or non-postal data or the protection of communications via the data network 105.

The data center 106 can also via the data network 105 be connected with a series of n remote data centers of producers of consumable units (VE), thus ink cartridges 107. These include inter alia a first producer's data center 108 and an n^(th) producer's data center 109.

As will be explained in the following using the first franking machine 102 (representative of all other franking machines), with the arrangement 101 for the first franking machine 102 a method according to the invention for enabling the use of the ink cartridge 107 in the print module 102.6 of the first franking machine 102 is carried out.

Initially in a step 110.1 the sequence of operations of the method according to the invention is started. In a step 110.2 the production of authorized consumable units then takes place in the producers' data centers 108 to 109. For this purpose the respective producer's data center 108, 109 through cryptographically secured communications via the data network 105 requests a certain number of valid first items of identification information in the form of valid serial numbers (SN) from the data center 106.

The data center 106 generates these valid serial numbers as unique and unambiguous items of identification information of the respective ink cartridge 107 according to a predefined scheme, wherein each serial number SN in the present example is 256 bits long and consists of three parts (SN1, SN2 and SN3). It shall be understood, however, that with other variants of the invention any other length or another structure can be selected.

In the present example the first part SN1 (here: bits 0 to 7) of the serial number is an identifier allocated to the respective producer and the type of ink cartridge. The second part SN2 (here: bits 8 to 127) of the serial number is a unique integer issued in increasing value (thus 1, 2, 3 . . .). The third part SN3 (here: bits 128 to 255) of the serial number comprises in the present example the lowest 128 bits of the result of a cryptographic operation, which the second security module 106.2 applied to a data packet formed by the first part SN1, the second part SN2 and a secret code SK. The second security module 106.2 obtains the secret code SK here from the first database 106.4 of the first data center 106.

In the present example the cryptographic operation is the application of a hash algorithm (for example SHA 1, SHA 256, MD4 etc.), here SHA 256. It shall be understood, however, that for other variants of the invention another cryptographic operation, for example a simple encryption or a digital signature via parts SN1, SN2 can also be performed. Of course, any combinations of such cryptographic operations can also be applied.

The third part SN3 of the serial number SN thus represents an item of control information, which the data center 106 for example can use at a later point in time in order to verify the authenticity of the serial number SN.

The respective producer's data center 108, 109 then receives via the data network 105 the serial numbers SN requested, while the data center 106 archives the serial numbers in the second database 106.5. It shall be understood, however, that such archiving of the serial numbers can optionally also be dispensed with since the serial numbers can have their authenticity verified using the item of control information SN3.

The respective producer's data center 108, 109 in each case writes such a serial number SN to the second memory 107.1 of the respective ink cartridge 107. Then the cartridges are sold in the conventional way to the users of the franking machines 102 to 104, wherein the ink cartridges in the present example are sold at a considerably lower selling price than is normally the case.

In a step 110.3 in the respective franking machine 102 to 104 it is verified if an ink cartridge 107 has been used in the print module 102.6. Such use of an ink cartridge 107 within the meaning of the present invention constitutes a (non-temporal) event, which in a step 110.4 triggers the generation and transmission of a first item of authorization information AUT1 from the franking machine 102 to the data center 106.

It shall be understood that with other variants of the invention additionally or alternatively to this non-temporal event of the use of the ink cartridge any other temporal or non-temporal events can be provided for which trigger the generation and transmission of the first item of authorization information AUT1. Thus for example at regular intervals an attempt can be made to generate and transmit the first item of authorization information AUT1, wherein then for example in the absence of an ink cartridge only (optionally with additional information on the status of the franking machine) an item of status information can be transmitted to the data center, that no cartridge is inserted.

Here, the first item of authorization information AUT1 comprises in addition to the serial number SN read out from the second memory 107.1 of the ink cartridge 107 by the processor 102.1 a first item of fill level information FS similarly read out from the ink cartridge 107 and/or the first memory 102.3, which is representative of the current fill level of the ink in the reservoir of the ink cartridge 107 (thus of the available quantity of ink).

This fill level FS can be obtained by a separate ink sensor in the reservoir of the ink cartridge 107. Similarly, however, it is possible to read out the fill level FS from the second memory 107.1 and/or the first memory 102.3, where in the ink cartridge 107 electronic fill level monitoring is provided, and with which each use of ink (for example via adequately known droplet counting or similar), preferably irreversibly, certain memory areas of the second memory 107.1 are written to, so that an item of fill level information that is representative of the current fill level FS can always be inferred from the second memory 107.1. This fill level FS is preferably also documented in parallel (preferably cryptographically secured against undetected unauthorized manipulation) in the first memory 102.3, as will be explained in more detail below.

As a further component the first item of authorization information AUT1 in the present example has a second item of identification information assigned to the franking machine 102 in the form of a (preferably naturally unique and unambiguous) second serial number SNFM of the franking machine 102 attached.

The first item of authorization information AUT1 is compiled by the first processor 102.1, optionally cryptographically protected by the security module 102.2 and transmitted via the communications module 102.5 to the data center 106 in a first transmission step of step 107.4.

In a first verification step 110.5 the data center 106 initially verifies in a sub-step 110.6, that the serial number SN of the ink cartridge 107 transmitted with the first item of authorization information AUT1 is a valid serial number. To do this the processor 106.1 of the data center 106 compares the current serial number SN transmitted with the serial numbers archived in the second database 106.5.

If there is correspondence here with an archived serial number, then the serial number is valid. If this is not the case, in a further step of the sub-step 110.6 the current transmitted serial number by means of its item of control information SN3 and by accessing the first database 106.4 can have its authenticity verified. If this verification is also negative, then in a sub-step 110.8 of a first authorization step 110.7 a second item of authorization information AUT2 with negative contents is generated which then leads to enabling of use of the ink cartridge 102 being denied.

Here it shall be understood that this second verification using the item of control information SN3 may also be absent. Equally, however, it can for example in the absence of archiving of the generated serial numbers in the data center, represent the only verification of the current transmitted serial numbers.
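The serial number layout (SN1, SN2, SN3) and the two-stage check of sub-step 110.6 can be sketched as follows. This is an added example, not code from the patent; the byte order, the reading of "lowest 128 bits" as the last 16 bytes of the SHA-256 digest, the function names and the sample secret are assumptions.

```python
import hashlib
import hmac

SN1_BYTES, SN2_BYTES, SN3_BYTES = 1, 15, 16   # bits 0-7, 8-127, 128-255


def control_info(sn1: int, sn2: int, sk: bytes) -> bytes:
    """SN3: lowest 128 bits of SHA-256 over the data packet SN1 || SN2 || SK."""
    packet = sn1.to_bytes(SN1_BYTES, "big") + sn2.to_bytes(SN2_BYTES, "big") + sk
    # Assumption: "lowest 128 bits" means the last 16 bytes of the digest.
    return hashlib.sha256(packet).digest()[-SN3_BYTES:]


def issue_serial(sn1: int, sn2: int, sk: bytes) -> bytes:
    """Build the 256-bit serial number the data center hands to a producer."""
    head = sn1.to_bytes(SN1_BYTES, "big") + sn2.to_bytes(SN2_BYTES, "big")
    return head + control_info(sn1, sn2, sk)


def parse_serial(sn: bytes):
    """Split a serial number into (SN1, SN2, SN3); reject wrong lengths."""
    if len(sn) != SN1_BYTES + SN2_BYTES + SN3_BYTES:
        raise ValueError("serial number must be 256 bits")
    sn2_end = SN1_BYTES + SN2_BYTES
    return sn[0], int.from_bytes(sn[SN1_BYTES:sn2_end], "big"), sn[sn2_end:]


def control_info_valid(sn: bytes, sk: bytes) -> bool:
    """Recompute SN3 from SN1, SN2 and SK and compare in constant time."""
    try:
        sn1, sn2, sn3 = parse_serial(sn)
    except ValueError:
        return False
    return hmac.compare_digest(sn3, control_info(sn1, sn2, sk))


def check_serial(sn: bytes, archive: set, sk: bytes) -> str:
    """Sub-step 110.6: archive lookup first, SN3 check as the fallback."""
    if sn in archive:
        return "valid (archived)"
    if control_info_valid(sn, sk):
        return "valid (control information)"
    return "invalid"   # data center would generate AUT2 with negative content


# Constructed sample values, not taken from the patent.
SK = b"constructed-demo-secret-code-SK!"
ARCHIVE = {issue_serial(0x2A, n, SK) for n in (1, 2, 3)}

if __name__ == "__main__":
    unarchived = issue_serial(0x2A, 99, SK)
    altered = bytearray(unarchived)
    altered[15] ^= 0x01                      # change SN2 without knowing SK
    for label, sn in [("archived", issue_serial(0x2A, 2, SK)),
                      ("unarchived", unarchived),
                      ("altered", bytes(altered))]:
        print(label, "->", check_serial(sn, ARCHIVE, SK))
```

The text allows other cryptographic operations in place of the plain hash; a keyed MAC such as HMAC-SHA-256 over SN1 and SN2 is the standard construction for a control value of this kind.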

If at least one of the verifications in sub-step 110.6 is positive, in a further sub-step 110.9 of the first verification step 110.6 a check on the plausibility of the further information from the first item of authorization information AUT1 is made.

For this in sub-step 110.9 initially the transmitted first item of fill level information FS is checked for plausibility. Thus in the third database 106.6 an entry (106.7 to 106.8) allocated to the respective serial number SN issued by the data center may be present, which inter alia shows the desired fill level SFS and corresponding upper and lower fill level tolerances TFS for an unused ink cartridge. If the transmitted item of fill level information FS is outside the tolerance range calculated from these, thus a specified item of fill level limit information, then likewise a jump may be made to step 110.8 and a second item of authorization information AUT2 with negative content generated, which then leads to enabling of use of the ink cartridge 102 being denied. For this the second item of authorization information AUT2 can comprise an item of negative enabling information FRIN, which in the franking machine 102 subsequently leads to enabling of use of the ink cartridge 107 being denied.

As a further plausibility check in sub-step 110.9 a verification of the transmitted serial number of the franking machine SNFM can take place. Here again for example using corresponding entries in the third database 106.6 it can be verified if the ink cartridge 107 is authorized for use in franking machine 102. If this is not the case, similarly a jump can be made to step 110.8 and a second item of authorization information AUT2 with negative content (thus with an item of negative enabling information FRIN) generated.

It shall be understood that in sub-step 110.9 the plausibility checks described and further plausibility checks can be carried out individually or in any combination. It shall similarly be understood that sub-step 110.9 can optionally also be omitted.

If the plausibility checks in sub-step 110.9 are positive, in an ascertainment step 110.10 of the verification step 110.5 it is verified if the ink cartridge 107 is a used or an unused ink cartridge. In the present example this takes place simply in that it is detected if during the previous verification of the serial number SN in step 110.6 it was a case of the first verification of this serial number SN in the data center 106.

Here it should be noted that in the sequence described above with the verification of the item of fill level information FS in step 110.9 the detection that an unused ink cartridge is involved also takes place using this item of fill level information FS. It shall be understood, however, that with the other variants of the invention, in which no such plausibility check of the item of fill level information FS takes place, it is also possible to infer an unused ink cartridge exclusively from the first verification of the serial number SN.

If in the ascertainment step 110.10 it is ascertained that an unused ink cartridge is involved, in an accounting step 110.11 accounting takes place in that in the data center 106 an accounting memory assigned to the registered user of the franking machine 102 is modified accordingly. In this way, in the manner described extensively at the outset, it is possible to postpone payment for use of the ink cartridge 102 to a point in time that is considerably closer to the point in time of actual use than is the case with the conventional method by which the full price has to be paid at the same time as the ink cartridge is purchased.

Apart from the advantages extensively described at the outset concerning the commercial attractiveness of bringing into circulation pirated products (that is to say counterfeit or refilled ink cartridges) this has the advantage that for ink cartridges, which between purchase and actual usage are lost or become completely unusable (for example due to damage, obsolescence from being held in stock too long, and so on), the user only has to pay the considerably lower purchase price and thus suffers a lower commercial loss than with conventional systems where the full usage price has to be paid at the time of purchase of the ink cartridge.

In a step 110.12 in the second security module 106.2 using a secret code of the data center 106 a cryptographic certificate ZERT is then created by means of an item of certification information ZI, which comprises at least parts of the first item of authorization information AUT1, preferably the entire first item of authorization information AUT1. The item of certification information ZI also comprises inter alia an item of initial verification time information representative of the point in time that the verification step 110.5 was first carried out, in this way therefore also that of the generation of the certificate ZERT and an item of validity information GI, which is representative of the duration of the validity of the certificate ZERT.

The validity information GI is preferably selected as a function of the physical lifetime of the ink cartridge 107 (thus the period over which the ink cartridge 107 can fulfil its purpose correctly, for example thus the ink is still usable). In this way it can therefore be provided that the validity of the certificate ZERT ends with the lifetime of the ink cartridge 107, wherein of course certain time tolerances can be provided which ensure that the ink cartridge 107 can be used across its entire physical lifetime. It shall similarly be understood however that a period of validity for the certificate ZERT that differs from this lifetime can also be selected.

In a step 110.13 a second item of authorization information AUT2 with positive content is then generated, which subsequently leads to enabling of use of the ink cartridge 107 in the franking machine 102. This second item of authorization information AUT2 comprises inter alia the previously created certificate ZERT and an item of positive enabling information FRIP, which optionally as well via cryptographic means, for example a digital signature SIG, is secured and authenticated and subsequently in the franking machine 102 leads to enabling of use of the ink cartridge 107.

In a subsequent logging step or registration step 110.14 a registration of the ink cartridge 107 in the data center 106 takes place. To this end the entry 106.7 assigned to its serial number SN is updated accordingly in the third database 106.6, so that in the entry 106.7 a verification history H assigned to the respective ink cartridge 107 is stored. Here inter alia the certificate ZERT is archived in the entry 106.7. Similarly in the entry 106.7 the number of first verification steps 110.5 previously carried out is updated, and thus in the case of this verification step 110.5 being carried out for the first time the corresponding part of the entry 106.7 is set to a value of one. Finally, the item of fill level information FS and the serial number SNFM of the franking machine 102 sent with the first item of authorization information AUT1 are logged in the entry 106.7.

It shall be understood that in connection with the logging further information can of course be logged in the verification history H of the entry 106.7. Thus for example the second item of authorization information AUT2 (with the item of positive enabling information FRIP or the item of negative enabling information FRIN) can similarly be logged just like the item of enabling information FRIN or FRIP. Similarly, of course, further items of plausibility information can be stored in the verification history H, which are used at a later point in time in connection with a further execution of the first verification step 110.5 during the plausibility checks from step 110.9.

The logging entry of the verification history H in area 106.7 is finally provided with an item of logging time information PZI representative of the point in time of the logging.

In a second transmission step 110.15 the transmission of the second item of authorization information AUT2 to the franking machine 102 takes place.

As can be inferred from FIG. 2B (the links of which to FIG. 2A are shown by points 110.16 and 110.17), in a second verification step 110.18 in the franking machine 102 a verification of the second item of authorization information AUT2 received then takes place, wherein its authenticity is checked in that the digital signature SIG of the security module 106.2 of the data center 106 is verified.

The processor 102.1 also analyses the enabling information sent with the second item of authorization information AUT2. If this is an item of positive enabling information FRIP, then use of the ink cartridge 107 is enabled in a step 110.19 and a corresponding message is output via the output unit 102.4. If it is an item of negative enabling information FRIN, then use of the ink cartridge 107 is disabled in a step 110.20 and a corresponding message is output via the output unit 102.4.

In a further step 110.21 in the franking machine 102 it is then verified if use of the ink cartridge 107 should take place, and in so doing therefore if a franking imprint or other imprint should be generated with the ink cartridge 107.

If this is the case, in the present example in a further step 110.22 in the processor 102.1 of the franking machine 102 it is verified if a theoretical fill level RFS of the ink cartridge 107 is below a tolerance range, resulting from an actual fill level TFS and a fill level tolerance TOL.

Here, the theoretical fill level is the result of the use of the ink cartridge 107 prior to the current step 110.22, which has been logged in the first memory 102.3 (preferably secured by cryptographic means against undetected manipulations), as is explained in more detail in the following. If the current use is the first use of the ink cartridge, for the theoretical fill level RFS its nominal fill level from the factory is used which for example can likewise be read out from the second memory 107.1 or alternatively with the second item of authorization information AUT2, in particular as a component of the certificate ZERT, can be transmitted from the data center 106.

The actual fill level TFS can, as described above, be detected by a corresponding sensor on the ink cartridge 107. The fill level tolerance TOL takes into account possible variations that occur in practice in normal authorized use in the fill level of the ink cartridge 107 (as can occur, for example, from the filling of the ink cartridge 107).

If the theoretical fill level RFS is below the sum of the actual fill level TFS and the fill level tolerance TOL, that is, if, taking into consideration the fill level tolerance TOL, more ink is actually available than calculated from the previous use, then this is indicative of an unauthorized filling or refilling of the ink cartridge 107. Accordingly in this case a jump is made to step 110.20 and use of the ink cartridge 107 is disabled.

Otherwise the value of the theoretical fill level RFS is set in the first memory 102.3 of the franking machine 102 in a step 110.23 at the value of the actual fill level TFS, and in this way therefore the theoretical fill level RFS is reset to the actual fill level TFS. The same applies for the second memory 107.1 of the ink cartridge 107, which is likewise accordingly written to irreversibly, in order to log the actual fill level FS of the ink cartridge 107 there.

In a step 110.24 the use of the ink cartridge 107 then takes place and logging of this use, wherein the theoretical fill level RFS in the first memory 102.3 of the franking machine 102 and the second memory 107.1 of the ink cartridge 107 is reduced by a value corresponding to the current usage. For this the first processor 102.1 can for example use a sufficiently known droplet counting for the current imprint (thus the current usage). In this way the theoretical fill level RFS will be kept at the current level both in the ink cartridge 107 and in the franking machine 102 with each use.

In a step 110.25 it is then verified if an event is present which results in a regeneration and transmission of the first item of authorization information AUT1 to the data center 106. This also takes place if in step 110.21 it is ascertained that currently no use should be made of the ink cartridge 107.

Such an event, resulting in a regeneration and transmission of the first item of authorization information AUT1 to the data center 106, can be a case of any temporal or non-temporal event. Thus for example the expiry of a certain length of time T1 can be provided as a temporal event, after which a regeneration and transmission of the first item of authorization information AUT1 is absolutely essential. Similarly expiry of the validity of the certificate ZERT may also be involved. Non-temporal events can for example be considered as the removal of the ink cartridge 107 from the print module 102.6, the reaching of a defined number N1 of uses of the ink cartridge 107 or the reaching of a defined theoretical fill level RFS1 or also the reinsertion of the ink cartridge 107 in the print module 102.6.

If such an event exists, in a step 110.26 a new first item of authorization information AUT1 is generated and transmitted to the data center 106. Here the procedure is as described in connection with step 110.4, wherein for the item of fill level information FS of the first item of authorization information AUT1 the theoretical fill level RFS read out from the first memory 102.3 is used. In addition the first item of authorization information AUT1 can comprise in addition to the serial number SN of the ink cartridge 107, the serial number SNFM of the franking machine 102 and the item of fill level information FS, the certificate ZERT also.

Initially, in a step 110.27, it is further verified if the procedure is to be ended. If this is the case the procedure ends in a step 110.28. Otherwise a jump back to step 110.5 is made, wherein then the plausibility checks in step 110.9 take place using the newly transmitted item of fill level information FS and also a verification and checking of the certificate ZERT, in particular a check of its validity, by accessing the assigned verification history H in the entry 106.7 assigned to the ink cartridge 107 in the third database 106.6.

Furthermore, in step 110.9 independently of the validity of the certificate ZERT it is also verified if a certain length of time has passed since the first execution of the verification step 110.5. If this is the case, it can be provided that in this case also a second authorization message AUT2 is generated with an item of negative enabling information FRIN.

Depending on the outcomes of the checks in steps 110.6, 110.9 and 110.10 in turn a second authorization message AUT2 with an item of positive enabling information FRIP or an item of negative enabling information FRIN is generated (step 110.13 or 110.8), which then in the manner described above with the updating of the verification history H is logged in the assigned entry 106.7 (step 110.14), transmitted by the data center 106 to the franking machine 102 and processed there in the manner described (steps 110.18, 110.19, 110.20 etc.).

In particular, in the present example it is provided that, if an item of negative enabling information FRIN is generated for a formerly valid ink cartridge 107 or a formerly valid serial number SN, a so-called deregistration of this serial number SN takes place in the data center 106. For this a corresponding modification to the assigned entry 106.7 of the third database 106.6 is made. This has the result that during a subsequent repeated execution of the step 110.6 it is already ascertained that it is no longer a case of a valid serial number SN.

It shall be understood that with other variants of the invention in connection with this deregistration it can also be provided that the entry 106.7 is simply irreversibly deleted in the third database 106.6.

It can also be provided that the ink cartridge 107 has in the meantime been used in the second franking machine 103, with the result that this is ascertained in step 110.9 from the serial number of the second franking machine 103 transmitted (with the newly generated first item of authorization information AUT1).

In the present example it can be provided that the use of the ink cartridge 107 is only authorized in the first franking machine 102, in which it was registered for the first time. In this case there will be a negative outcome to the verification in step 110.9 and a second item of authorization information AUT2 with an item of negative enabling information FRIN results.

For the user of a plurality of franking machines in a group of franking machines registered at the data center 106 it can however be provided that a change in use of the ink cartridge 107 between the franking machines of this group of franking machines is authorized. In this case when the ink cartridge 107 is used in another franking machine, for example the franking machine 104, a positive outcome to the verification in step 110.9 and a second item of authorization information AUT2 with an item of positive enabling information FRIP for the franking machine 104 also result.

Furthermore such a change of the ink cartridge 107 can also be authorized as a function of an identifier contained in the serial number of the ink cartridge 107 (for example within the first 8 bits of the serial number SN). Thus ink cartridges for universal application (i.e. in any number of different franking machines 102 to 104) can be defined. Similarly, use can be restricted to a definable number of different franking machines 102 to 104.
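The data center checks described above (validity and deregistration of the serial number SN, machine or group binding, plausibility of the fill level FS, maximum usage time, and accounting only for a previously unused cartridge) can be sketched as follows. This is an added example, not code from the patent: the HMAC stands in for the digital signature SIG, and the key, the time limit, the universal identifier value 0xFF, the 32-bit serial number layout and all function names are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

DC_KEY = b"constructed-demo-key"   # assumption: stands in for the key of security module 106.2
MAX_USAGE_TIME = 365 * 24 * 3600   # assumption: maximum usage time in seconds
UNIVERSAL = 0xFF                   # assumption: identifier in the first 8 bits of a 32-bit SN


@dataclass
class Entry:
    """Entry 106.7: registration flag plus verification history H."""
    registered: bool = True
    history: list = field(default_factory=list)   # (time, SNFM, FS, enabling)


def sign_body(body):
    """HMAC over canonical JSON; a stand-in for the digital signature SIG."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(DC_KEY, data, hashlib.sha256).hexdigest()


class DataCenter:
    def __init__(self, serials, groups):
        self.db = {sn: Entry() for sn in serials}  # third database 106.6
        self.groups = groups                       # SNFM -> group name
        self.accounted = []                        # serial numbers accounted for

    def _check(self, entry, sn, snfm, fs, now):
        """Return None if all checks pass, otherwise the reason for FRIN."""
        if entry is None or not entry.registered:
            return "invalid serial number"
        if not entry.history:
            return None                            # previously unused cartridge
        # A registered entry only holds FRIP records: any FRIN deregisters SN.
        first_time, first_snfm, _, _ = entry.history[0]
        if now - first_time > MAX_USAGE_TIME:
            return "usage time exceeded"
        same_group = (snfm in self.groups
                      and self.groups[snfm] == self.groups.get(first_snfm))
        if snfm != first_snfm and not same_group and (sn >> 24) != UNIVERSAL:
            return "used in an unauthorized machine"
        if fs > entry.history[-1][2]:
            return "fill level increased since last verification"
        return None

    def authorize(self, aut1, now):
        """First verification and authorization: AUT1 in, signed AUT2 out."""
        sn, snfm, fs = aut1["SN"], aut1["SNFM"], aut1["FS"]
        entry = self.db.get(sn)
        reason = self._check(entry, sn, snfm, fs, now)
        enabling = "FRIP" if reason is None else "FRIN"
        if entry is not None:
            if enabling == "FRIP" and not entry.history:
                self.accounted.append(sn)          # accounting only for an unused unit
            if enabling == "FRIN":
                entry.registered = False           # deregistration of SN
            entry.history.append((now, snfm, fs, enabling))
        body = {"SN": sn, "SNFM": snfm, "enabling": enabling, "reason": reason}
        return {"body": body, "SIG": sign_body(body)}


def second_verification(aut2, sn, snfm):
    """Device side (step 110.18): enable only on an authentic, matching FRIP."""
    body = aut2["body"]
    if not hmac.compare_digest(aut2["SIG"], sign_body(body)):
        return False
    return (body["SN"], body["SNFM"], body["enabling"]) == (sn, snfm, "FRIP")
```

A real deployment would use an asymmetric signature so that the franking machine holds only a verification key; the shared-key HMAC here only keeps the example self-contained.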

As shown in FIG. 2B by the branch 110.29, in the present example it is provided that following expiry of a further length of time T2 and/or after a further specified number N2 of uses of the ink cartridge 107 and/or after reaching a further theoretical fill level RFS2 a (possibly temporary) disabling of the use of the ink cartridge 107 takes place, if the generation and transmission of the new item of authorization information AUT1 was triggered by expiry of the length of time T1, the reaching of the number N1 of uses of the ink cartridge 107 or the reaching of the theoretical fill level RFS1.

The event triggering this disabling is verified in the franking machine 102 in a step 110.30, wherein in the case that no such event exists a jump back to step 110.21 is made and the use of the ink cartridge 107 in the franking machine can continue to take place.
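The device-side logic of steps 110.22 to 110.30 as an added example (not code from the patent): refill detection, logging of use, and the re-authorization and temporary-disabling triggers, here using only the use counters N1 and N2. The comparison follows the wording of claim 11 (disable when the actual quantity exceeds the theoretical quantity by the tolerance); the class and method names, and treating refill detection as not lifted by a later FRIP, are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Limits:
    tol: float   # fill level tolerance TOL
    n1: int      # uses after which a new AUT1 must be sent (N1)
    n2: int      # further uses tolerated without a fresh enabling (N2)


class CartridgeGuard:
    """Hypothetical device-side monitor for one ink cartridge."""

    def __init__(self, nominal_fill, limits):
        self.rfs = nominal_fill      # theoretical fill level RFS; nominal on first use
        self.limits = limits
        self.uses = 0                # uses since the last positive enabling
        self.state = "enabled"       # "enabled", "temporarily disabled" or "disabled"

    def imprint(self, tfs, usage):
        """One pass through steps 110.22 to 110.30.

        tfs is the sensor reading (actual fill level TFS), usage the ink
        consumed by this imprint (for example from droplet counting).
        Returns "ok" or "reauthorize" if the imprint was made, otherwise
        the current disabling state.
        """
        if self.state != "enabled":
            return self.state
        if tfs > self.rfs + self.limits.tol:
            # More ink present than the logged use allows: refill suspected.
            self.state = "disabled"              # step 110.20
            return self.state
        self.rfs = tfs                           # step 110.23: reset RFS to TFS
        self.rfs -= usage                        # step 110.24: log this use
        self.uses += 1
        if self.uses >= self.limits.n1 + self.limits.n2:
            self.state = "temporarily disabled"  # step 110.30, blocks the next use
        if self.uses >= self.limits.n1:
            return "reauthorize"                 # steps 110.25/110.26: send new AUT1
        return "ok"

    def on_aut2(self, enabling):
        """Apply a verified AUT2 (FRIP or FRIN) received after re-authorization."""
        if enabling != "FRIP":
            self.state = "disabled"
        elif self.state != "disabled":   # assumption: FRIP does not undo refill detection
            self.state = "enabled"
            self.uses = 0
        return self.state
```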

In the example described above the accounting step 110.11 takes place in the data center 106. It shall be understood, however, that the accounting step in other variants of the invention can also take place at another point in time after the ascertainment step 110.10. In particular the accounting step can also take place in the franking machine 102, for example in its security module 102.2, wherein the second item of authorization information AUT2 then contains a corresponding item of accounting information which is correspondingly processed and acted upon in the franking machine 102.

In the example described above the verification of whether the ink cartridge 107 can be used in various franking machines, could take place as a function of an identifier stored in the serial number SN of the ink cartridge 107. It shall be understood that one or a plurality of the verifications described above can also take place as a function of such an identifier in the serial number of the ink cartridge 107.

It is mentioned at this point that all or some of the memories of the franking machine 102 and the data center 106 described above can take the form of separate memory modules or also simply individual memory areas of a single memory module of the franking machine 102 or of the data center 106.

The present invention has been described above using examples relating to franking machines. It shall be understood, however, that it can also be used in connection with other franking arrangements (for example so-called PC franking systems), in which no integration of the individual components in a single housing exists. Similarly the present invention can also be used in association with any other consumption arrangements, in which any consumable medium is consumed in a corresponding consumption arrangement.

Although modifications and changes may be suggested by those skilled in the art, it is the intention of the inventor to embody within the patent warranted hereon all changes and modifications as reasonably and properly come within the scope of his contribution to the art.

1. Method for enabling the use of a consumable unit containing a consumable medium in a consumption device of a consumption arrangement, comprising: in a first transmission step, a first item of authorization information assigned to the consumable unit is transmitted from a data processing unit of the consumption arrangement via a communications network to a remote data center; in a first verification step in the data center, a verification of the first item of authorization information takes place; in an authorization step in the data center, as a function of the outcome of the first verification step a second item of authorization information assigned to the consumable unit is generated; in a second transmission step, the second item of authorization information is transmitted via a communications network to the data processing unit; in a second verification step in the data processing unit, a verification of the second item of authorization information takes place; in an enabling step in the data processing unit, as a function of the outcome of the second verification step enabling the use of the consumable unit in the consumption device takes place; and in an accounting step, as a function of the outcome of the first verification step and/or of the second verification step accounting for enabling the use of the consumable unit in the consumption device takes place provided that, in an ascertainment step of the first verification step, it is ascertained that the consumable unit was previously unused.
2. Method according to claim 1, wherein: the first item of authorization information comprises a unique and unambiguous first item of identification information of the consumable unit; the ascertainment, that the consumable unit is unused, in the ascertainment step takes place using the first item of identification information by comparing the first item of identification information with a first item of comparative information stored in the data center and ascertaining an unused consumable unit in the ascertainment step only takes place if, for the first time, a definable relationship between the first item of identification information and the first item of comparative identification information exists.
3. Method according to claim 1, wherein: the first item of authorization information comprises a first item of fill level information, which is representative of the quantity of the consumable medium available in the consumable unit; and ascertaining that the consumable unit is unused, takes place using the first item of fill level information.
4. Method according to claim 1, wherein: the first item of identification information comprises an item of control information, which in particular is generated using cryptographic means; the verification of the first item of authorization information in the first verification step comprises a verification of whether a definable relationship between the item of control information and a further part of the first item of identification information exists; and enabling the use of the consumable unit takes place only if the definable relationship between the item of control information and the further part of the first item of identification information exists.
5. Method according to claim 1, wherein: in the authorization step in the data center, in a registration step a registration of the first verification step takes place in a verification history stored in the data center and assigned to the consumable unit by assignment to the first item of identification information; the verification history comprises a number of first verification steps assigned to the consumable unit by assignment to the first item of identification information, and/or comprises an item of verification time information at least representative of the point in time of the current first verification step and/or an item of initial verification time information representative of the first point in time of execution of the first verification step assigned to the consumable unit by assignment to the first item of identification information, and/or comprises at least a second item of identification information assigned to the data processing unit and/or comprises at least a first item of fill level information representative of a quantity of consumable medium currently available in the consumable unit; and/or the verification history comprises at least a part of the second item of authorization information, in particular the entire second item of authorization information.
6. Method according to claim 5, wherein: the first item of authorization information comprises a first item of fill level information, which is representative of the quantity of the consumable medium available in the consumable unit; in the first verification step, a comparison is made between the first item of fill level information and an item of fill level limit information assigned to the consumable unit and/or at least a previous first item of fill level information from the verification history assigned to the consumable unit, originating from a last authorization step previously carried out; enabling the use in the enabling step only if a definable relationship between the first item of fill level information and the previous first item of fill level information exists, in particular the available quantity of the consumable medium is less than the previously available quantity of the consumable medium from the previous authorization step; and/or in a definitive disabling step a permanent disablement of use of the consumable unit takes place, if a definable relationship between the first item of fill level information and the previous first item of fill level information exists, in particular the available quantity of the consumable medium is greater than the previously available quantity of the consumable medium from the previous authorization step; and/or in a definitive disabling step, a permanent disablement of use of the consumable unit takes place if a definable relationship between the first item of fill level information and the item of fill level limit information exists, in particular the available quantity of the consumable medium has reached or fallen below a limiting quantity of the consumable medium defined by the item of fill level limit information; and in the definitive disabling step the first item of identification information is assigned an item of disabling information in the data center, in the first verification step a verification is carried out, of whether the consumable unit has been assigned an item of disabling information, and enabling the use in the enabling step only takes place if the consumable unit is not assigned any item of disabling information.
7. Method according to claim 5, wherein: the first item of authorization information comprises a second item of identification information assigned to the data processing unit, in the first verification step a comparison is made between the second item of identification information and at least one previous second item of identification information from the verification history assigned to the consumable unit, originating from a previous authorization step, in particular the last authorization step previously carried out, and enabling the use in the enabling step only takes place if a definable relationship between the second item of identification information and the previous second item of identification information exists, in particular the second item of identification information is identical to the previous second item of identification information; and/or in the first verification step, a comparison is made between a current item of time information and the item of initial verification time information from the verification history assigned to the consumable unit and enabling the use in the enabling step only takes place if a definable relationship between the current time information and the item of initial verification time information exists, in particular a time difference between the current item of time information and the item of initial verification time information is less than a definable maximum usage time of the consumable unit.
8. Method according to claim 1, wherein: the first transmission step takes place as a function of the occurrence of at least one definable first event; and the at least one definable first event is at least one of creation of a connection between the data processing unit and the consumable unit, release of a connection between the data processing unit and the consumable unit, reaching of a definable first number of uses of the consumable unit, reaching a definable first consumption of the consumable medium, and reaching a definable first quantity of the consumable medium still available in the consumable unit.
9. Method according to claim 1, wherein: in a temporary disabling step, a reversible disabling of the use of the consumable unit takes place as a function of the occurrence of at least one definable second event; the at least one definable second event is at least one of release of a connection between the data processing unit and the consumable unit, reaching a definable second number of uses of the consumable unit, reaching a definable second consumption of the consumable medium, and reaching a definable second quantity of the consumable medium still available in the consumable unit; and/or the temporary disabling step takes place only if, after a last occurrence of the first event and prior to an occurrence of the second event, no enabling step takes place.
10. Method according to claim 1, wherein: the first item of authorization information at least prior to the first transmission step and/or during the first transmission step is secured by cryptographic means against undetected unauthorized manipulation; and/or the second item of authorization information at least prior to the second transmission step and/or during the second transmission step is secured by cryptographic means against undetected unauthorized manipulations, and the second item of authorization information comprises at least a cryptographic certificate generated by the data center in the authorization step, which in a verification step prior to the enabling step is verified by the data processing unit, and enabling of use takes place as a function of the outcome of the verification step; and/or the first item of authorization information comprises a previous cryptographic certificate generated in a previous authorization step, in particular immediately prior to the first transmission step, wherein the previous cryptographic certificate is verified in the first verification step.
11. Method according to claim 1, wherein: in the data processing unit after the enabling step, a detection of the consumption of the consumable medium takes place, by using a use detected by the data processing unit of the consumable unit and/or a previous item of fill level information, a theoretical item of fill level information, is ascertained that is representative of the theoretical available quantity of the consumable medium available in the consumable unit, and/or, via a detection unit, an actual item of fill level information is identified, which is representative of the actual quantity of consumable medium available in the consumable unit; the theoretical item of fill level information is compared with the actual item of fill level information in the data processing unit in a fill level verification step and the theoretical item of fill level information is set to the value of the actual item of fill level information, if the actual available quantity is less than the theoretical available quantity by a first tolerance value; and/or in a disabling step, a disabling of use of the consumable unit by the data processing unit takes place, if the actual available quantity exceeds the theoretical available quantity by a definable second tolerance value.
12. Method according to claim 1, wherein: in the accounting step for performing the accounting the content of at least one accounting memory is modified; the at least one accounting memory is arranged in the data processing unit; and/or the at least one accounting memory is arranged in the data center.
13. Method according to claim 1, wherein: in a production step prior to the first verification step, a plurality of first consumable units and second consumable units is produced, wherein, in a memory of a first consumable unit, a first item of identification information of the first consumable unit is assigned a first identifier, and in a memory of a second consumable unit, a first item of identification information of the second consumable unit is assigned a second identifier; and at least a verification of a definable relationship between first items of information and second items of information takes place in the first verification step and/or in the authorization step and/or in the second verification step and/or in the enabling step and/or in a fill level verification step as a function of the identifier assigned to the consumable unit; and/or at least a monitoring of the occurrence of a definable event as a function of the identifier assigned to the consumable unit takes place.
14. A medium consuming system comprising: a consumable unit containing a consumable medium; a consumption arrangement comprising a consumption device configured to use the consumable unit and an associated data processing unit configured to control use of the consumable unit; a data center remote from the consumption arrangement and connectable via a communications network to the data processing unit; the data processing unit being configured to, in a first transmission step, transmit a first item of authorization information assigned to the consumable unit via the communications network to the remote data center, and in a first verification step, perform a verification of the first item of authorization information, and in an authorization step, generate, as a function of the outcome of the first verification step, a second item of authorization information assigned to the consumable unit, and in a second transmission step, transmit the second item of authorization information via the communications network to the data processing unit; the data processing unit configured to, in a second verification step, perform a verification of the second item of authorization information, and in an enabling step, enable, as a function of the outcome of the second verification step, use of the consumable unit in the consumption device; and at least one of the data processing unit and the data center is configured to implement, in an accounting step as a function of the outcome of the first verification step and/or of the second verification step, an accounting for enabling the use of the consumable unit in the consumption device; and said at least one of the data processing unit and the data center is configured to implement the accounting step, provided that, in an ascertainment step of the first verification step, it is ascertained that the consumable unit was previously unused.